Control: affects 874029 + src:notmuch

On Sat 2017-12-30 15:12:14 +0900, Mike Hommey wrote:

> I can't tell you how many, but I can tell you that's how Mozilla does it
> too, so this applies to firefox, thunderbird, nspr and nss:

notmuch does it as well:

  https://notmuchmail.org/releases/
  https://notmuchmail.org/releases/notmuch-0.28.tar.gz.sha256.asc
  https://notmuchmail.org/releases/notmuch-0.28.tar.gz

the right way to check it looks something like this (in bash):

    # fail the pipeline if gpgv rejects the signature, not just if sha256sum fails
    set -o pipefail
    set -x
    # fetch the tarball and the signed checksum file
    wget https://notmuchmail.org/releases/notmuch-0.28.3.tar.gz{,.sha256.asc}
    # gpgv emits the signed checksum line only if the signature verifies;
    # sha256sum -c then checks both the name and the digest against the download
    gpgv --keyring ./notmuch-signers.pgp --output - notmuch-0.28.3.tar.gz.sha256.asc | sha256sum -c -

The advantage of this approach is that the *name* of the archive is signed in addition to its contents.  This helps to prevent version fixation or version rollback attacks (where an attacker simply renames an old tarball and the matching signature to make it look like it is named the new version).

        --dkg
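The rollback point dkg makes above, worked through as an added example (this is not code from the bug report or from the notmuch project): a release directory is constructed, an "old" tarball is renamed to the new version's name, and the old verification data is checked both as a name-bound sha256sum line (what `gpgv --output - ... | sha256sum -c -` consumes) and as a signature over the bytes alone, modelled here as a bare digest. The signing step itself is omitted; the checksum lines stand in for the output of a successful `gpgv`. File names and contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report: shows why a signed sha256sum
# line that names the archive defeats "rename the old tarball" rollback,
# while a signature covering only the bytes does not. The signed lines are
# constructed here; in the real workflow they are the output of
# `gpgv --output -` on the .sha256.asc file.

# check_named DIR LINE: verify "<hex>  <name>" the way the report does
# (sha256sum -c) inside DIR. Prints "accepted" or "rejected".
check_named() {
    if ( cd "$1" && printf '%s\n' "$2" | sha256sum -c --status - ); then
        echo accepted
    else
        echo rejected
    fi
}

# check_bytes FILE HEX: a signature covering only the file contents is
# modelled as a bare digest compared against the file, whatever its name.
check_bytes() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then echo accepted; else echo rejected; fi
}

# rollback_demo: builds a constructed release directory, then simulates an
# attacker serving the old tarball under the new name together with the
# old (still validly signed) verification data. Prints "<named> <bytes>".
rollback_demo() {
    work=$(mktemp -d)
    printf 'constructed old release\n' > "$work/notmuch-0.28.tar.gz"
    # What the project signed for the old release: name-bound line / bare digest
    old_named=$(cd "$work" && sha256sum notmuch-0.28.tar.gz)
    old_hex=${old_named%% *}
    # Attacker renames the old archive to look like the new version
    mv "$work/notmuch-0.28.tar.gz" "$work/notmuch-0.28.3.tar.gz"
    named=$(check_named "$work" "$old_named")
    bytes=$(check_bytes "$work/notmuch-0.28.3.tar.gz" "$old_hex")
    rm -rf "$work"
    echo "$named $bytes"
}

# honest_demo: the genuine new release passes the name-bound check.
honest_demo() {
    work=$(mktemp -d)
    printf 'constructed new release\n' > "$work/notmuch-0.28.3.tar.gz"
    line=$(cd "$work" && sha256sum notmuch-0.28.3.tar.gz)
    result=$(check_named "$work" "$line")
    rm -rf "$work"
    echo "$result"
}

rollback_demo   # prints: rejected accepted
honest_demo     # prints: accepted
```

The name-bound check fails because the signed line still says `notmuch-0.28.tar.gz`, which no longer exists under that name; the bytes-only check passes because the renamed file is byte-for-byte the signed old release. Running the real pipeline with `set -o pipefail` matters for the same reason: without it, a `gpgv` failure that produces no output would leave `sha256sum -c -` with empty input rather than a failing exit status.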